Created: (JBWEB-107) Cross Domain JSESSIONID Cookie

Cross Domain JSESSIONID Cookie
------------------------------

                 Key: JBWEB-107
                 URL: http://ji
ra.jboss.com/jira/browse/JBWEB-107
             Project: JBoss Web
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
          Components: Tomcat Module
            Reporter: Mike Millson
         Assigned To: Mladen Turk


Currently the JSESSIONID cookie domain is set to the domain
name of the Host that emits the cookie (e.g.
www.domain.com). This is an issue with customers using
Aliases (e.g. secure.domain.com, zzz.domain.com, etc.), as
the session is lost when switching between the main domain
and any aliases. In these cases, it would be useful to be
able to specify the domain to be "domain.com" so
the same JSESSIONID cookie is used across the aliases and
converges to the same session.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the
administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atl
assian.com/software/jira

        
_______________________________________________
jboss-jira mailing list
jboss-jiralists.jboss.org
h
ttps://lists.jboss.org/mailman/listinfo/jboss-jira

    [ http://jira.jboss.com/jira/browse/JBWEB
-107?page=comments#action_12412751 ] 
            
Remy Maucherat commented on JBWEB-107:
--------------------------------------

Support for cookie configuration will be provided, but I
don't want to rush a hack for it, sorry. Please provide a
custom patch if the customer really needs this feature right
now.

> Cross Domain JSESSIONID Cookie
> ------------------------------
>
>                 Key: JBWEB-107
>                 URL: http://ji
ra.jboss.com/jira/browse/JBWEB-107
>             Project: JBoss Web
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Tomcat Module
>            Reporter: Mike Millson
>         Assigned To: Remy Maucherat
>
> Currently the JSESSIONID cookie domain is set to the
domain name of the Host that emits the cookie (e.g.
www.domain.com). This is an issue with customers using
Aliases (e.g. secure.domain.com, zzz.domain.com, etc.), as
the session is lost when switching between the main domain
and any aliases. In these cases, it would be useful to be
able to specify the domain to be "domain.com" so
the same JSESSIONID cookie is used across the aliases and
converges to the same session.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the
administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atl
assian.com/software/jira

        
_______________________________________________
jboss-jira mailing list
jboss-jiralists.jboss.org
h
ttps://lists.jboss.org/mailman/listinfo/jboss-jira

     [ 
http://jira.jboss.com/jira/browse/JBWEB-107?page=all ]

Mike Millson updated JBWEB-107:
-------------------------------

    Attachment: SessionCookiePathValve.java

> Cross Domain JSESSIONID Cookie
> ------------------------------
>
>                 Key: JBWEB-107
>                 URL: http://ji
ra.jboss.com/jira/browse/JBWEB-107
>             Project: JBoss Web
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Tomcat Module
>            Reporter: Mike Millson
>         Assigned To: Remy Maucherat
>         Attachments: SessionCookiePathValve.java
>
>
> Currently the JSESSIONID cookie domain is set to the
domain name of the Host that emits the cookie (e.g.
www.domain.com). This is an issue with customers using
Aliases (e.g. secure.domain.com, zzz.domain.com, etc.), as
the session is lost when switching between the main domain
and any aliases. In these cases, it would be useful to be
able to specify the domain to be "domain.com" so
the same JSESSIONID cookie is used across the aliases and
converges to the same session.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the
administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atl
assian.com/software/jira

        
_______________________________________________
jboss-jira mailing list
jboss-jiralists.jboss.org
h
ttps://lists.jboss.org/mailman/listinfo/jboss-jira

    [ http://jira.jboss.com/jira/browse/JBWEB
-107?page=comments#action_12413616 ] 
            
Remy Maucherat commented on JBWEB-107:
--------------------------------------

You can wrap. I am not implementing this right now, since
the next servlet spec will add session cookie configuration,
and I don't want to add some duplicate conflicting
configuration as part of a quick hack.

> Cross Domain JSESSIONID Cookie
> ------------------------------
>
>                 Key: JBWEB-107
>                 URL: http://ji
ra.jboss.com/jira/browse/JBWEB-107
>             Project: JBoss Web
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Tomcat Module
>            Reporter: Mike Millson
>         Assigned To: Remy Maucherat
>         Attachments: SessionCookiePathValve.java
>
>
> Currently the JSESSIONID cookie domain is set to the
domain name of the Host that emits the cookie (e.g.
www.domain.com). This is an issue with customers using
Aliases (e.g. secure.domain.com, zzz.domain.com, etc.), as
the session is lost when switching between the main domain
and any aliases. In these cases, it would be useful to be
able to specify the domain to be "domain.com" so
the same JSESSIONID cookie is used across the aliases and
converges to the same session.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the
administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atl
assian.com/software/jira

        
_______________________________________________
jboss-jira mailing list
jboss-jiralists.jboss.org
h
ttps://lists.jboss.org/mailman/listinfo/jboss-jira